Microsoft Sentinel in Action: Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions, 2nd Edition
- Length: 478 pages
- Edition: 2
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2022-02-10
- ISBN-10: 1801815534
- ISBN-13: 9781801815536
- Sales Rank: #64159
Learn how to set up, configure, and use Microsoft Sentinel to provide security incident and event management services for your multi-cloud environment
Key Features
- Collect, normalize, and analyze security information from multiple data sources
- Integrate AI, machine learning, built-in and custom threat analyses, and automation to build optimal security solutions
- Detect and investigate possible security breaches to tackle complex and advanced cyber threats
Book Description
Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you to integrate cloud security and artificial intelligence (AI). This book will enable you to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic.
The book begins by introducing you to Microsoft Sentinel and Log Analytics. You’ll then get to grips with data collection and management, before learning how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. Moving ahead, you’ll learn about useful features such as entity behavior analytics and Microsoft Sentinel playbooks along with exploring the new bi-directional connector for ServiceNow. As you progress, you’ll find out how to develop solutions that automate responses needed to handle security incidents. Finally, you’ll grasp the latest developments in security, discover techniques to enhance your cloud security architecture, and explore how you can contribute to the security community.
By the end of this Microsoft Sentinel book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and be able to protect your environment from cyber threats and other security issues.
What you will learn
- Implement Log Analytics and enable Microsoft Sentinel and data ingestion from multiple sources
- Get to grips with coding using the Kusto Query Language (KQL)
- Discover how to carry out threat hunting activities in Microsoft Sentinel
- Connect Microsoft Sentinel to ServiceNow for automated ticketing
- Find out how to detect threats and create automated responses for immediate resolution
- Use triggers and actions with Microsoft Sentinel playbooks to perform automations
Who this book is for
If you are an IT professional with prior experience in other Microsoft security products and Azure and are now looking to expand your knowledge to incorporate Microsoft Sentinel, then this book is for you. Security experts using an alternative SIEM tool who want to adopt Microsoft Sentinel as an additional service or as a replacement will also find this book useful.
Table of Contents
Microsoft Sentinel in Action Second Edition
Contributors
- About the authors
- About the reviewers
Preface
- Who this book is for
- What this book covers
- To get the most out of this book
- Download the color images
- Conventions used
- Get in touch
- Share Your Thoughts
Section 1: Design and Implementation
Chapter 1: Getting Started with Microsoft Sentinel
- The current cloud security landscape
- The cloud security reference framework
- SOC platform components
- Mapping the SOC architecture
  - Log management and data sources
  - Operations platforms
  - Threat intelligence and threat hunting
  - SOC mapping summary
- Security solution integrations
- Cloud platform integrations
  - Integrating with Amazon Web Services (AWS)
  - Integrating with Google Cloud Platform (GCP)
  - Integrating with Microsoft Azure
- Private infrastructure integrations
- Service pricing for Microsoft Sentinel
- Scenario mapping
  - Step 1 – defining the new scenarios
  - Step 2 – explaining the purpose
  - Step 3 – the kill chain stage
  - Step 4 – which solution will perform detection?
  - Step 5 – what actions will occur instantly?
  - Step 6 – severity and output
  - Step 7 – what action should the analyst take?
- Summary
- Questions
- Further reading
Chapter 2: Azure Monitor – Introduction to Log Analytics
- Technical requirements
- Introduction to Azure Monitor Log Analytics
- Planning a workspace
- Creating a workspace using the portal
- Creating a workspace using PowerShell or the CLI
  - Creating an Azure Resource Management template
  - Using PowerShell
  - Using the CLI
- Exploring the Overview page
- Managing permissions for the workspace
- Enabling Microsoft Sentinel
- Exploring the Microsoft Sentinel Overview page
  - The header bar
  - The summary bar
  - The Events and alerts over time section
  - The Recent incidents section
  - The Data source anomalies section
  - The Potential malicious events section
  - The Democratize ML for your SecOps section
- Connecting your first data source
  - Obtaining information from Azure virtual machines
- Advanced settings for Log Analytics
  - Agents management
  - The Agents configuration options
  - Computer Groups
- Summary
- Questions
- Further reading
Section 2: Data Connectors, Management, and Queries
Chapter 3: Managing and Collecting Data
- Choosing data that matters
- Understanding connectors
  - Native connections – service to service
  - Direct connections – service to service
  - API connections
  - Agent-based
- Configuring Microsoft Sentinel connectors
- Configuring Log Analytics storage options
  - Calculating the cost of data ingestion and retention
  - Reviewing alternative storage options
- Summary
- Questions
- Further reading
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
- Introduction to TI
- Understanding STIX and TAXII
- Choosing the right intel feeds for your needs
- Implementing TI connectors
  - Enabling the data connector
  - Registering an app in Azure AD
  - Configuring the MineMeld TI feed
  - Confirming the data is being ingested for use by Microsoft Sentinel
- Summary
- Questions
- Further reading
Chapter 5: Using the Kusto Query Language (KQL)
- Running KQL queries
- Introduction to KQL commands
  - Tabular operators
  - Query statements
  - The let statement
  - Scalar functions
  - The ago() function
  - String operators
- Summary
- Questions
- Further reading
Chapter 6: Microsoft Sentinel Logs and Writing Queries
- An introduction to the Microsoft Sentinel Logs page
- Navigating through the Logs page
  - The page header
  - The Tables pane
  - The Queries pane
  - The Functions pane
  - The Filter pane
  - The KQL code window
  - Running a query
  - The Results window
  - Learn more
- Writing a query
  - The billable data ingested
  - Map view of logins
  - Other useful tables
- Summary
- Questions
- Further reading
Section 3: Security Threat Hunting
Chapter 7: Creating Analytic Rules
- An introduction to Microsoft Sentinel Analytics
- Types of analytic rules
- Navigating through the Analytics home page
- Creating an analytic rule
  - Creating a rule from a rule template
  - Creating a new rule using the wizard
- Managing analytic rules
- Summary
- Questions
- Further reading
Chapter 8: Creating and Using Workbooks
- An overview of the Workbooks page
  - The workbook header
  - The Templates view
  - Workbook detail view
  - Missing required data types
  - Saved template buttons
- Walking through an existing workbook
- Creating workbooks
  - Creating a workbook using a template
  - Creating a new workbook from scratch
- Editing a workbook
  - Advanced editing
- Managing workbooks
- Workbook step types
  - Text
  - Query
  - Metric
  - Parameters
  - Links/tabs
  - Groups
- Advanced Settings
- Style
- Summary
- Questions
- Further reading
Chapter 9: Incident Management
- Using the Microsoft Sentinel Incidents page
  - The header bar
  - The summary bar
  - The search and filtering section
  - Incident listing
  - Incident details pane
- Using the Actions button
- Exploring the full details page
  - The Timeline tab
  - The Alerts tab
  - The Bookmarks tab
  - The Entities tab
  - The Comments tab
- Investigating an incident
  - Showing related alerts
  - The Timeline button
  - The Info button
  - The Entities button
  - The Insights button
  - The Help button
- Summary
- Questions
- Further reading
Chapter 10: Configuring and Using Entity Behavior
- Introduction to Microsoft Sentinel Entity behavior
- Enabling Entity behavior
- Overview of the Entity behavior page
  - The header bar
  - The search section
  - Entities with alerts
- Overview of the Entity behavior details page
  - Identifying information
  - Notable events
  - Insights
- Creating Entity behavior queries
  - Header bar
  - Activities list
  - Activity details pane
  - Adding a new activity
- Summary
- Questions
- Further reading
Chapter 11: Threat Hunting in Microsoft Sentinel
- Introducing the Microsoft Sentinel Hunting page
  - The header bar
  - The summary bar
  - The hunting queries list
  - Hunting query details pane
- Working with Microsoft Sentinel hunting queries
  - Adding a new query
  - Editing a query
  - Cloning a query
  - Deleting a query
  - Adding to Livestream
  - Creating an analytics rule
- Working with livestream
- Working with bookmarks
  - Creating a bookmark
  - Viewing bookmarks
  - Associating a bookmark with an incident
- Using Microsoft Sentinel notebooks
  - The header bar
  - The summary bar
  - The notebook list
  - The notebook details pane
  - Creating a workspace
- Performing a hunt
  - Developing a premise
  - Determining data
  - Planning a hunt
  - Executing an investigation
  - Responding
  - Monitoring
  - Improving
- Summary
- Questions
- Further reading
Section 4: Integration and Automation
Chapter 12: Creating Playbooks and Automation
- Introduction to Microsoft Sentinel playbooks
- Introduction to Microsoft Sentinel Automation
  - The header bar
  - The summary bar
  - Automation rules listing
  - Adding a new automation rule
- Playbook pricing
- Types of playbooks
- Overview of the Microsoft Sentinel connector
- Exploring the Playbooks tab
  - Logic app listing
  - Logic app settings page
  - The menu bar
  - The header bar
  - The essentials section
  - The Runs history section
- Creating a new playbook
  - Using the Logic Apps Designer page
  - The Logic Apps Designer header bar
  - The Logic Apps Designer workflow editor section
- Creating a simple Microsoft Sentinel playbook
- Summary
- Questions
- Further reading
Chapter 13: ServiceNow Integration for Alert and Case Management
- A brief history of Microsoft Sentinel and ServiceNow integration
  - Integrating Microsoft Sentinel with ServiceNow ITSM using Microsoft Sentinel Logic Apps
  - Integrating Azure security alert sources (not just Sentinel) with ServiceNow Security Incident Response via the Microsoft Graph Security API
  - Integrating Microsoft Sentinel with ServiceNow Security Incident Response via an API directly to Microsoft Sentinel
- Steps to integrate Microsoft Sentinel with ServiceNow
  - Configuring the Microsoft Azure portal
  - Installing the Microsoft Sentinel integration plugin in ServiceNow
  - Configuring the ServiceNow Sentinel plugin to authenticate to Microsoft Sentinel
  - Creating profiles in the ServiceNow Sentinel integration plugin
- Summary
Section 5: Operational Guidance
Chapter 14: Operational Tasks for Microsoft Sentinel
- Dividing SOC duties
  - SOC engineers
  - SOC analysts
- Operational tasks for SOC engineers
  - Daily tasks
  - Weekly tasks
  - Monthly tasks
  - Ad hoc tasks
- Operational tasks for SOC analysts
  - Daily tasks
  - Weekly tasks
  - Monthly tasks
  - Ad hoc tasks
- Summary
- Questions
Chapter 15: Constant Learning and Community Contribution
- Official resources from Microsoft
  - Official documentation
  - Tech community – blogs
  - Tech community – forums
  - Feature requests
  - LinkedIn groups
- Other resources
  - Resources for SOC operations
  - MITRE ATT&CK® framework
  - National Institute of Standards for Technology (NIST)
- Using GitHub
  - GitHub for Microsoft Sentinel
  - GitHub for community contribution
- Specific components and supporting technologies
  - Kusto Query Language
  - Jupyter Notebook
  - Machine learning with Fusion
  - Azure Logic Apps
- Summary
Assessments
- Chapter 1
- Chapter 2
- Chapter 3
- Chapter 4
- Chapter 5
- Chapter 6
- Chapter 7
- Chapter 8
- Chapter 9
- Chapter 10
- Chapter 11
- Chapter 12
- Chapter 14
Why subscribe?
Other Books You May Enjoy
- Work with AKS (Azure Kubernetes Service) and use it with service mesh technologies to design a microservices hosting platform
- Packt is searching for authors like you
- Share Your Thoughts
How to download the source code
1. Go to: https://github.com/PacktPublishing
2. In the "Find a repository…" box, search for the book title: Microsoft Sentinel in Action: Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions, 2nd Edition. If the full title returns no results, search for the main title only.
3. Click the book title in the search results.
4. Click Code to download.